topic Re: useful custom reports in General Topics

useful custom reports

MPI-AE — Wed, 27 Sep 2017 06:44:06 GMT

Hey all,

I want to create some custom reports to get more useful information about what is going on in my network.

I would like to know - just informational - which reports do you use in your daily business?

Respectively which reports you consider as useful.

Until now, I created one report that shows me the denied packets for every last week.

Can you give me some more hints?

Thank you!

Re: useful custom reports

BPry — Wed, 27 Sep 2017 13:32:03 GMT

Here are three reports that I always schedule to run every day.

1) Reset report: I have a report that looks for the 'reset-client', 'reset-both', and 'reset-server' actions going from untrust to my dmz zone. This includes anything that reset likely due to a vulnerability or threat being identified.

2) Risk Report: This report includes the widgets Risky Users, Botnet, Spyware Infected Hosts, and Top Spyware Threats.

3) Summary Reports: Daily PDF Reports which includes the following widgets; Bandwidth trent, Top Denied Sources, Top Secuirty Rules, Risk Trent, Top Destination Countries, Top Source Countries, Threat Tred, Top Destination Zones, Top Source Zones, Top Connections, Top Destinations, Top Sources, Top Denied Applications, Top Egress Interfaces, Top Denied Destinations, Top Ingress Interfaces. So most of the widgets really.

Re: useful custom reports

MPI-AE — Fri, 06 Oct 2017 10:52:00 GMT

@BPry

Thanks for your answer!

I have a question to your risk reports:

are these custom reports or predefined?

I don't find Risky Users

and my second question:

When I take a look into Spyware Infected Hosts, there are only external ip addresses. What do I need that information for?

and 3)

Where can I find Bandwidth trent, Risk Trent and Threat Tred?

Re: useful custom reports

BPry — Fri, 06 Oct 2017 12:33:37 GMT

@MPI-AE,

The reset report that I have listed at the top is the only custom report within that list. Risky Users can be found when you are building your Report Groups, it's one of the predefined reports available within that list.

You'd want to keep the Spyware infected hosts so that you can see if an internal address shows up; I would also verify where those external IPs were going and who was communicating with them. Depending on the actual threat detected and in what direction the PA sees it going, you may see an external IP when it's one of your internal users infected.

The Bandwidth trend, Risk trend, and threat trend are again predefined reports. You can add these when you are building the Report Group or if you create PDF Summary reports.

Re: useful custom reports

MPI-AE — Thu, 02 Nov 2017 13:46:45 GMT

@BPry

Hey BPry,

I built a report group and added the predefined report risky-users.

I am wondering now, why that report doesn't show up under Monitor -> Reports?

Re: useful custom reports

BPry — Thu, 02 Nov 2017 13:56:00 GMT

@MPI-AE,

Can't really answer that one I'm afraid, I don't have any idea why it wouldn't show up there.

Re: useful custom reports

MPI-AE — Wed, 15 Nov 2017 10:12:40 GMT

@BPry

I built a good overall report, thanks for your hints.

Still a last question to the risky users:

there are a lot of different risky users shown up in the report.

They have a risk of 4 or 5.

They are sorted by "Bytes"

Why are they risky? What am I supposed to do? What entries are important?

I'm confused.

Re: useful custom reports

BPry — Wed, 15 Nov 2017 13:55:22 GMT

@MPI-AE,

It generally takes the risk associated with the app-ids identified on that user's traffic. So if you haven't modified the app-id's associated risk then it's likely just displaying your most active users.

Re: useful custom reports

MPI-AE — Mon, 20 Nov 2017 10:03:22 GMT

@BPry

I have some more questions:

-The Spyware Infected Hosts, how does the firewall know that hosts are spyware affected, especially external hosts? But also internal hosts?

-URL Report:

Is it possible to create a custom url report that doesn't list the top blocked url's but the less blocked url's?

The problem is: I have a url report that lists the top 50 blocked url's. That report isn't really helpful because all url's shown there are web-advertisments, that are accessed over 1k times.

I would like to get url's that are accessed only a few times, maybe 1 or 2. Because most likely, that's an url that was accessed consciously by a user. So I can proactively unblock these url's. Do you know what I mean?

Re: useful custom reports

BPry — Mon, 20 Nov 2017 13:35:21 GMT

@MPI-AE,

Spyware Infected Hosts are generated by what the firewall sees through the Threat database. Specifically, if you run the following filter '( subtype eq spyware )' on the threat database you'll see what it's picking up on. In this case the 'Victim' is going to be what is considered a Infected Host.

As for a URL report, your best bet there would be to simply ignore the whole web-advertisements category if it isn't something you are interested in seeing. For that I would likely recommend you create a custom report looking at the URL Log database, you would want to have the following in your Query Builder as to not display any of the web-advertisements category.

not ( category eq web-advertisements )

Re: useful custom reports

MPI-AE — Mon, 27 Nov 2017 08:24:11 GMT

@BPry

yeah that's a good idea.

Sorry, but another question comes into my mind:

In my report group that is sent every Sunday, there are included: botnet, Spyware Infected Hosts, Top denied applications, Top egress interfaces.

The problem is, these reports just show facts for the sunday.

Is there a possibilty to change that from sunday to the whole last calendar week?

Re: useful custom reports

BPry — Mon, 27 Nov 2017 14:31:44 GMT

@MPI-AE,

Since those reports are actually built into the firewall there isn't a way to modify them that I know of. That being said, all of the reports can be generated as a custom report that specifies the last 7 days so you have a full week.

Re: useful custom reports

Brandon_Wertz — Mon, 27 Nov 2017 21:20:32 GMT

@MPI-AE wrote:
@BPry

I built a good overall report, thanks for your hints.

Still a last question to the risky users:

there are a lot of different risky users shown up in the report.

They have a risk of 4 or 5.

They are sorted by "Bytes"

Why are they risky? What am I supposed to do? What entries are important?

I'm confused.

IMO, the "risk" number is to be a guage not even so much a guide.

Hell, application "web-browsing" is a 4 and "FTP" is a 5. I wouldn't necessarily base any report or security policy around a risk score.

Re: useful custom reports

BPry — Mon, 27 Nov 2017 21:24:17 GMT

@Brandon_Wertz,

Risky users can be extremely helpful if you've taken the time to customize the application risk level specific to the company you are working for. At default value you are very much correct, the risk level is likely not a good indicator to actually use for anything.

Re: useful custom reports

Brandon_Wertz — Mon, 27 Nov 2017 21:29:58 GMT

Agreed, my meaning was around the stock value of apps. Again IMO, it's akin to a shiny object you can show to leadership. Doesn't really mean you're more secure at a "3" with no security profiles than someone at a "5" who's running Threat/URL/WF services.

Re: useful custom reports

MPI-AE — Tue, 28 Nov 2017 09:56:24 GMT

@BPry

For example, when I want to create a custom report with the spyware infected hosts:

How can I do this?

There aren't so much options..

Re: useful custom reports

BPry — Tue, 28 Nov 2017 18:20:45 GMT

@MPI-AE,

The spyware report is actually pulling from the Threat database, with the ( subtype eq spyware ) as the actor.

Re: useful custom reports

DAYANAND — Wed, 15 Aug 2018 13:09:38 GMT

Hi, we can create custom reports as per our requirement, you could define the filters which you wish to observes the logs for like desti, zone, etc..One could define a time frame as well like daily, weekly and so on.

However I have a few questions that I still need ansewrs for :

1.) There is an option for grouping the traffic log reports based on destination etc.... There is a maximum limit of 500 logs only that it can produce logs for. Does that mean I get only 500 logs from the time of capture ? If I am right what happens to the traffic generated after that ? Is there a way to incerase the limit >500. Because a custome report on Panorama with a limit of 500 means nothing even if I capture hourly.

Re: useful custom reports

BPry — Wed, 15 Aug 2018 13:38:04 GMT

@DAYANAND,

It's the top 500 logs depending on whatever your sort criteria be. So if I use bytes for example, it's the TOP 500 logs as determined by the amount of bytes logged. If you are combining a 'Sort By' and 'Group By' operating within the same request you'll be limited to the Top 500 logs; however if you remove the 'Group By' you have access to as much as the Top 10,000 logs.

You have to get creative in the way you generate the reports so that the report actually gives you what you are looking for. I've yet to want to run any report that I wasn't able to work around these limitations in some way or another.

I know that there are multiple FRs to increase this capability if you want to reach out to your SE and add your vote to those requests.

Re: useful custom reports

DAYANAND — Wed, 15 Aug 2018 14:14:35 GMT

Hi @BPry

Thank you for the reply, after some thought your post made sense. I am still getting to know how the SORT BY and GROUPEDBY work in conjunction with eachother in generating reports. any explanantion in that direction will be helpful. Is there any detailed documentation with examples where I can refer for further learning. Thank you